Sometimes, when you get a call regarding a password reset, you can already guess who it’s from. Most organizations have one—that one employee who somehow manages to forget their password and gets locked out of their account more than everyone else. So you reset this forgetful user’s password, and sure enough, five minutes later they call back saying they’re locked out again. Only this time it’s because the password wasn’t updated in the many places they use it, like active user sessions, mapped network drives, etc. Manually sifting through the long list of applications and processes to find and replace stale credentials could easily take a few hours, hampering the productivity of both the forgetful user and the help desk technician.

“30% of help desk queries are related to password reset management and account lockouts.”

-Gartner-

Account lockout policies are designed to limit brute force attacks, which try to break into accounts by guessing multiple different passwords one after the other. However, getting the balance right with the account lockout threshold (the number of attempts before an account is locked out) and the account lockout duration (the amount of time an account stays locked out) can be tricky as each organization operates uniquely. Microsoft offers a number of recommendations to determine the optimum password policy settings, but these recommendations alone aren’t enough.

Below is a list of Microsoft’s tools that assist IT technicians in determining the source of account lockouts.

AcctInfo.dll

ALockout.dll

ALoInfo.exe

EnableKerbLog.vbs

EventCombMT.exe

LockoutStatus.exe

NLParse.exe

These tools can be used to find out why an account keeps getting locked out, but only if you’re still running the age-old Windows 2000, Windows NT, or Windows Server 2003 operating systems. Yes! You read that right.

Moreover, ALockout.dll—the tool that helps determine a process or application that is sending wrong credentials—cannot be used on servers that host network applications and services or on Microsoft Exchange servers, as it may prevent the Exchange store from starting.

If a business-critical application can’t access information on the network, it will fail, and end users won’t be able to access it. Since just a few minutes of service downtime could cost you financially and, even more importantly, damage your reputation as a service provider, you need to ensure user credentials are properly and promptly updated.

To identify and reset a locked out user account, you still have to wade your way through several interfaces, none of which are user-friendly.

Let’s use an organization with 1,000 employees that receives close to 10,000 help desk tickets annually as an example. Statistics say 30 percent of those tickets are regarding password resets. At $25 per ticket, the cost of password-related tickets alone would amount to $175,000 per year. ADAudit Plus’ Account Lockout Analyzer can help you cut costs by drastically reducing the amount of time spent resolving account lockouts.